    Case No. CLASS ACTION COMPLAINT

    Lesley Weaver (Cal. Bar No.191305) Angelica M. Ornelas (Cal. Bar No. 285929) Joshua D. Samra (Cal. Bar No. 313050) BLEICHMAR FONTI & AULD LLP 555 12th Street, Suite 1600 Oakland, CA 994607 Tel.: (415) 445-4003 Fax: (415) 445-4020 [email protected] [email protected] [email protected]

    Mitchell M. Breit (pro hac vice to be sought) Jason ‘Jay’ Barnes (pro hac vice to be sought) An Truong (pro hac vice to be sought) Eric Johnson (pro hac vice to be sought) SIMMONS HANLY CONROY LLC 112 Madison Avenue, 7th Floor New York, NY 10016 Tel.: (212) 784-6400 Fax: (212) 213-5949 [email protected] [email protected] [email protected] [email protected]

    Laurence D. King (Cal. Bar No. 206423) Mario Choi (Cal. Bar No. 243409) KAPLAN FOX & KILSHEIMER LLP 1999 Harrison Street, Suite 1560 Oakland, CA 94612 Tel.: (415) 772-4700 Fax: (415) 772-4707 [email protected] [email protected] Attorneys for Plaintiffs

    David A. Straite (pro hac vice to be sought) Aaron L. Schwartz (pro hac vice to be sought) KAPLAN FOX & KILSHEIMER LLP 850 Third Avenue New York, NY 10022 Tel.: (212) 687-1980 Fax: (212) 687-7715 [email protected] [email protected]

    IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA

    SAN JOSE DIVISION

    PATRICK CALHOUN, ELAINE CRESPO, HADIYAH JACKSON and CLAUDIA KINDLER, on behalf of themselves and all others similarly situated,

    Plaintiffs, v. GOOGLE LLC,

    Defendant.

    No. ___________________________

    CLASS ACTION COMPLAINT DEMAND FOR JURY TRIAL

    PUBLIC REDACTED VERSION WITH PLAINTIFFS’ SENSITIVE PERSONAL INFORMATION PROVISIONALLY REDACTED PENDING MOTION TO SEAL

    Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 1 of 93

    TABLE OF CONTENTS

    I. INTRODUCTION
    II. JURISDICTION AND VENUE
        A. Personal Jurisdiction
        B. Subject Matter Jurisdiction
        C. Venue
    III. THE INTRADISTRICT ASSIGNMENT
    IV. PARTIES
    V. FACTUAL ALLEGATIONS
        A. Contract Formation
        B. Relevant Contract Terms
        C. Google Improperly Collects Personal Information from Un-Synched Chrome Users Without Consent and in Breach of Contract
            1. Definition of Personal Information
            2. An IP Address + User Agent Is Personal Information
            3. Persistent Cookies Are Personal Information
            4. X-Client Data Headers Are Personal Information
            5. Browsing History is Personal Information
        D. Chrome’s Promise Not To Share PI With Google if Not Synched Was Intended To Encourage, Not Diminish, User Engagement
        E. How Google Instructs Chrome to Report PI to Google
        F. A Sample Visit to The San Jose Mercury News Website Using Chrome – Comparison Between a “Synched” Session and “Un-synched” Session
        G. Plaintiffs’ Personal Experiences
        H. Google’s Improper Collection of PI from Plaintiffs and Other Un-Synched Chrome Users is a Serious Invasion of the Privacy and is Highly Offensive
        I. Plaintiffs’ PI Is Property Owned by the Plaintiffs and Has Economic Value
        J. Plaintiffs Have Suffered Economic Injury
        K. Google Has Been Unjustly Enriched
    VI. CLASS ACTION ALLEGATIONS
    VII. COUNTS

        COUNT ONE WIRETAP ACT: UNAUTHORIZED INTERCEPTION OF ELECTRONIC COMMUNICATIONS
        COUNT TWO WIRETAP ACT – UNAUTHORIZED DISCLOSURES BY AN ECS 18 U.S.C. § 2510, et. seq.
        COUNT THREE STORED COMMUNICATIONS ACT – UNAUTHORIZED ACCESS TO STORED ECS COMMUNICATIONS 18 U.S.C. § 2701
        COUNT FOUR STORED COMMUNICATIONS ACT – UNAUTHORIZED DISCLOSURES OF STORED COMMUNICATIONS BY AN ECS 18 U.S.C. § 2701
        COUNT FIVE VIOLATION OF THE CALIFORNIA INVASION OF PRIVACY ACT (“CIPA”) Cal. Penal Code §§ 631
        COUNT SIX INVASION OF PRIVACY
        COUNT SEVEN INTRUSION UPON SECLUSION
        COUNT EIGHT BREACH OF CONTRACT
        COUNT NINE BREACH OF THE IMPLIED COVENANT OF GOOD FAITH AND FAIR DEALING
        COUNT TEN QUASI-CONTRACT (RESTITUTION AND UNJUST ENRICHMENT) (IN ALTERNATIVE TO CONTRACT CLAIMS)
        COUNT ELEVEN VIOLATION OF COMPUTER FRAUD AND ABUSE ACT (“CFAA”) 18 U.S.C. §1030(g)
        COUNT TWELVE VIOLATION OF CALIFORNIA COMPUTER DATA ACCESS AND FRAUD ACT Cal. Penal Code § 502
        COUNT THIRTEEN STATUTORY LARCENY California Penal Code §§ 484 and 496
        COUNT FOURTEEN VIOLATIONS OF THE CALIFORNIA UNFAIR COMPETITION LAW (“UCL”) Cal. Bus. & Prof. Code § 17200, et seq.
        COUNT FIFTEEN PUNITIVE DAMAGES Cal. Civ. Code § 3294
        COUNT SIXTEEN DECLARATORY RELIEF 28 U.S.C. § 2201(a)
    VIII. PRAYER FOR RELIEF
    IX. JURY TRIAL DEMAND

    I. INTRODUCTION

    1. This is a nationwide data privacy class action brought by and on behalf of Google Chrome users who chose not to “Sync” their browsers with their Google accounts while browsing the web (“Un-Synched Chrome Users”) from July 27, 2016 to the present (the “Relevant Period”).

    2. Google expressly promises Chrome users that they “don’t need to provide any personal information to use Chrome” and that “[t]he personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google Account by turning on sync[.]”

    3. Despite these express and binding promises, Google intentionally and unlawfully causes Chrome to record and send users’ personal information to Google regardless of whether a user elects to Sync or even has a Google account.

    4. Examples of personal data improperly created and sent to Google by Chrome include:

        a. IP addresses linked to user agents;

        b. Unique, persistent cookie identifiers including the Client ID;

        c. Unique browser identifiers called X-Client Data Headers; and

        d. Browsing history.

    5. This Complaint provides specific examples of the personal data flow that Chrome sent from Plaintiffs’ devices as they used Chrome while not Synched, demonstrating that Chrome secretly sends personal information to Google even when a Chrome user does not Sync.

    6. Google’s contract with Chrome users designates California law, and consistent with California law, defines “Personal Information” as “information that you provide to us which personally identifies you . . . or other data that can be reasonably linked to such information by Google, such as information we associate with your Google Account.”

    7. Each category of data identified above is “personal information” because it either personally identifies the user or can be reasonably linked to such information. Furthermore, Google affirmatively discloses that it associates data gathered from Chrome with users. Google has therefore breached its contract with Un-Synched Chrome Users.

    8. The improperly collected web browsing history also consists of electronic communications that contain content protected by California and federal wiretap laws. Google collects the content contemporaneously with the communications; Google does not obtain consent from Un-Synched Chrome Users to intercept these communications; and Google is not a party to them. Google is thus violating the federal Electronic Communications Privacy Act and analogue California statutes.

    9. Google’s actions are a serious violation of user privacy. Google tracking code is found on websites accounting for more than half of all internet traffic and Chrome is the dominant web browser (used on a majority of desktop computers in the United States), giving Google unprecedented power to surveil the lives of more than half of the online country in real time. And because some of Google’s third-party tracking cookies are disguised as first-party cookies to facilitate cookie synching, Google is misrepresenting its privacy practices in ways that have been successfully challenged by the FTC in the past.[1]

    [1] United States v. Google, Inc., 12-cv-4177-SI (N.D. Cal.), complaint dated Aug. 8, 2012, at ¶ 46-47.

    10. Google’s extensive network of affiliates—Google Sites, Google Apps, Google Account, Google Drive, Google AdWords—as well as its business partnerships means that sharing information with Google feeds it into a massive interconnected database of surveillance material. Google’s surveillance of the Plaintiffs and other Un-Synched Chrome Users directly contradicts its promises to honor users’ choice not to share data. This is a serious and irreversible invasion of privacy that is invisible to Google users.

    11. Google’s actions also constitute rank theft. Plaintiffs’ PI is a form of property recognized under California law and has economic value in the marketplace. Taking Plaintiffs’ PI from their computers without consent is larceny; any profits earned on the PI are unjustly earned at the expense of Plaintiffs and must be disgorged. Had Google been transparent about its level of surveillance, user engagement—a key metric for Google’s sales—would have decreased.

    12. Google’s actions also constitute unlawful computer intrusion under California and federal law. Google introduced computer code into Plaintiffs’ computers and caused damage without authorization by turning the computers into surveillance machines that reported Plaintiffs’ personal information, including private web browsing, to Google, in real time.

    13. Plaintiffs and the other Un-Synched Chrome Users have suffered privacy harm and economic harm as a result of Google’s wrongful acts. Plaintiffs therefore bring contract, statutory, common law and equitable claims against Google for money damages, restitution, disgorgement, punitive damages and injunctive relief.

    II. JURISDICTION AND VENUE

    A. Personal Jurisdiction

    14. This Court has personal jurisdiction over Defendant because Defendant is headquartered in this District. Google also concedes personal jurisdiction in the current and prior general Google Terms of Service. See Exhibits 2 through 4.

    B. Subject Matter Jurisdiction

    15. This Court has subject matter jurisdiction over the federal claims in this action, namely the Federal Wiretap Act, 18 U.S.C. § 2511 (the “Wiretap Act”), the Stored Communication Act, 18 U.S.C. § 2701 (“SCA”), the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”) and request for Declaratory Relief under 18 U.S.C. § 2201, pursuant to 28 U.S.C. § 1331.

    16. This Court also has subject matter jurisdiction over this entire action pursuant to the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1332(d), because this is a class action in which the amount in controversy exceeds $5,000,000, and at least one member of the class is a citizen of a state other than California or Delaware.

    17. This Court also has supplemental jurisdiction over the state law claims in this action pursuant to 28 U.S.C. § 1367 because the state law claims form part of the same case or controversy as those that give rise to the federal claims.

    C. Venue

    18. Venue is proper in this District because the Defendant is headquartered in this District. In addition, in the current Google general Terms of Service and prior versions, Google purports to bind Plaintiffs to bring disputes in this District. See Exhibits 2 through 4.

    laptops and never consented to Chrome sharing her Personal Information, including the contents of her Internet communications, with Google. Despite her lack of consent and expressly promising otherwise, Chrome shared Jackson’s personal information with Google, including the content of her communications. Plaintiff has temporarily stopped using Chrome but wishes to use it again once Google stops tracking un-synched users.

    23. Plaintiff Claudia Kindler is an adult domiciled in California. Plaintiff has used the Chrome browser on her personal laptop for numerous activities, including exchanging communications with her banks, healthcare providers, and continuing education providers for her employment. Kindler has also routinely used the Chrome browser to exchange communications about politics and more. Plaintiff has not enabled Sync with her Google accounts on her personal laptops and never consented to Chrome sharing her Personal Information, including the contents of her Internet communications, with Google. Despite her lack of consent and expressly promising otherwise, Chrome shared Kindler’s personal information with Google, including the content of her communications. Plaintiff has temporarily stopped using Chrome but wishes to use it again once Google stops tracking un-synched users.

    24. Google LLC (“Google”) is a Delaware Limited Liability Company based at 1600 Amphitheatre Way, Mountain View, California, whose membership interests are entirely held by its parent holding company, Alphabet, Inc. (“Alphabet”), headquartered at the same address. Alphabet trades under the stock trading symbols GOOG and GOOGL. Alphabet generates revenues primarily by delivering targeted online advertising through the Google LLC subsidiary. All operations relevant to this complaint are run by Google LLC.

    25. In this Complaint, “Google” refers to Google LLC unless otherwise specified.

    V. FACTUAL ALLEGATIONS

    A. Contract Formation

    26. The current contract governing the relationship between Google and Chrome with respect to Chrome consists of three documents: the Google general Terms of Service dated March 31, 2020 (Exhibit 4) (“General TOS”); the Google Chrome and Chrome OS Additional

    34. At all times during the Relevant Period, therefore, the Chrome Privacy Notice was a part of the contract between Plaintiffs and Google and supersedes any conflicting term in the General TOS.

    B. Relevant Contract Terms

    35. The Chrome Privacy Notice represents that it is the place where users can “Learn to control the information that’s collected, stored, and shared when you use the Google Chrome browser[.]” See Ex. 33.

    36. In the Chrome Privacy Notice, Google promised that Chrome would not send any Personal Information to Google unless the Chrome User affirmatively chose to Sync the browser with his or her Google Account.

    37. Specifically, from June 2016 to present, all versions of the Chrome Privacy Notice have promised that “You don’t need to provide any personal information to use Chrome.” See Exs. 17-33.

    38. In addition, all versions of the Chrome Privacy Notice have promised that Chrome will not send Personal Information to Google unless the Chrome user chooses to Sync the browser with his or her Google account:

        a. From January 30, 2019 to the present, Google promises that “the personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google Account by turning on sync.” See Exs. 28-33.

        b. From September 24, 2018 to January 30, 2019, Google promised that “the personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google Account by turning on Chrome sync.” See Exs. 25-27.

        c. Prior to September 24, 2018, the Chrome Privacy Notice promised “The personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google Account by signing in to Chrome. Signing in enables Chrome’s synchronization feature.” See Exs. 17-24.

    Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

        a. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;

        b. Any categories of personal information described in subdivision (e) of Section 1798.80.

        c. Characteristics of protected classifications under California or federal law;

        d. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;

        e. Biometric information;

        f. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement;

        g. Geolocation data;

        h. Audio, electronic, visual, thermal, olfactory, or similar information;

        i. Professional or employment-related information;

        j. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. § 1232(g); 34 C.F.R. Part 99);

        k. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”

    Cal. Civ. Code § 1798.140(o)(1) (emphasis added).

    44. The Google general Privacy Policy also expressly tracks the California statutory definition of “personal information,” defining it as “information that you provide to us which personally identifies you, such as your name, email address, or billing information, or other data that can be reasonably linked to such information by Google, such as information we associate with your Google Account.” See Ex. 16 (emphasis added).

    45. The following data qualifies as personal information when Google code instructs the Google Chrome browser to report it to Google:

        a. IP addresses linked to user agent;

        b. Session and Persistent cookie identifiers;

        c. X-client-data headers; and

        e. Browsing history and information regarding a consumer’s interaction with an Internet website.

    46. Google is reasonably capable of linking IP addresses (including those linked to user agent), persistent cookie identifiers, X-client-data headers, and web browsing history and information regarding a consumer’s interaction with an Internet website, and, in fact, does link such information with individual consumers and their devices.

    2. An IP Address + User Agent Is Personal Information

    47. An IP address is a number that identifies a computer connected to the Internet.

    48. IP addresses are used to identify and route communications on the Internet.

    49. An IP address is not the same thing as a URL.

    50. IP addresses of individual Internet users are used by Internet service providers, websites, and tracking companies to facilitate and track Internet communications.

    51. Google tracks IP addresses associated with specific Internet users.

    52. Google is capable of and does in fact associate specific users with specific IP addresses. For example, when a user signs into a Gmail account, Google associates the personal information connected with that email account to the IP address in question.

    53. Even if a specific IP address is shared by multiple devices on a single network, Google is capable of and does, in fact, associate specific users with specific IP addresses. Google does so through its use of other identifiers tied to an IP address, including User-Agent, which is a list of properties identifying a device within a network.

    54. Because Google collects the IP Address and user agent information together, Google can identify a user’s individual device even if more than one device shares the same IP Address.

    3. Persistent Cookies Are Personal Information

    55. A cookie is a small text file that a web-server can place on a person’s web browser and computing device when that person’s web browser interacts with the website server.

    56. Cookies can perform different functions. Eventually, some cookies were designed to acquire and record an individual Internet user’s communications and activities on websites across the Internet.

    57. Cookies are designed to and, in fact, do operate as a means of identification for Internet users.

    58. In general, cookies are categorized by (1) duration and (2) party.

    59. There are two types of cookies classified by duration:

        a. “Session cookies” are placed on a user’s computing device only while the user is navigating the website that placed and accesses the cookie during a single communication session. The user’s web browser deletes session cookies when the user closes the browser.

        b. “Persistent cookies” are designed to survive beyond a single Internet-browsing session. The party creating the persistent cookie determines its lifespan. As a result, a persistent cookie can acquire and record a user’s Internet communications for years and over dozens, hundreds, or thousands of websites. Persistent cookies are sometimes called “tracking cookies.”

    60. Cookies are also classified by the party that uses the collected data:

        a. “First-party cookies” are set on a user’s device by the website with which the user is exchanging communications. For example, Google uses cookies on users’ browsers when users directly visit Google properties such as Gmail. First-party cookies can be helpful to the user, server, and/or website to assist with security, log-in, and functionality.

        b. “Third-party cookies” are set on a user’s device by website servers other than the website or server with which the user is exchanging communications. For example, the same Gmail user might also have cookies on their Chrome browser that are set by Google’s other services such as Google Ads or Google Doubleclick. Unlike first-party cookies, third-party cookies are not typically helpful to the user. Instead, third-party cookies are typically used for data collection, behavioral profiling, and targeted advertising.

    61. Google uses several cookies to identify specific Internet users and their devices,

    including the following:

    SID, HSID: These cookies contain digitally signed and encrypted records of a user’s Google account ID and most recent sign-in time. They are unique and persistent on a user’s device for two years or more.

    _Secure-SSID, _Secure-HSID: These cookies are “secure” cookies that Google sets and accesses when a user signs into a Gmail account and does not formally log-off even after the user has left the Gmail website. They are unique and persistent on a user’s device for six months or more.

    NID: The NID cookie contains a unique ID Google uses to remember user preferences and other information, including, for example, how many search results they wish to have shown per page and whether they have Google’s SafeSearch filter turned on. NID is also used to help customize ads on Google properties, like Google search. NID is unique and persistent on a user’s device for two years or more.

    SSID, APISID, SAPISID: These cookies are unique and persistent on a user’s device for two years or more. Google does not publicly state their purpose.

    _Secure-3PSID, _Secure-APISID, Secure-3PAPISID: These cookies are “secure” cookies that Google sets and accesses when a user signs into a Gmail account and does not formally log-off even after the user has left the Gmail website.

    IDE: Google uses the IDE cookie for advertising. It is unique and persistent on a user’s device for two years or more.

    DSID: Google also uses the DSID cookie for advertising. It is unique and persistent on a user’s device for two years or more.

    62. Google also engages in a controversial practice known as “cookie synching” which

    further allows Google to associate cookies with specific individuals. With cookie synching, first-

    party cookies are set by websites with which users are directly interacting, but then those first-party

    websites also pass those cookie values along to Google Analytics, where Google takes the personal

    information it has about the user’s particular browser and links the Google Analytics first-party

    cookie information to Google’s own third-party cookies and the user’s browsing.

    63. Based on an Internet security policy known as the same-origin policy, web-browsers

    are supposed to prevent different entities from accessing each other’s cookies. For example, at the

    San Jose Mercury News website, Google would be prevented from accessing the news site’s “first-

    party” cookie values. And vice-versa, the San Jose Mercury News would be prevented from

    accessing Google.com’s third-party cookie values.

    64. However, JavaScript source code running on a webpage can bypass the same-origin

    policy protections by sending a putative ‘first-party’ cookie value in a tracking pixel to a third-party

    entity. This technique is known in the Internet advertising business as “cookie synching.”

    65. Cookie synching allows cooperating websites to learn each other’s cookie

    identification numbers for the same user. Once the cookie synching operation is complete, the two

    websites exchange information that they have collected and hold about a user, further making these

    cookies “Personal Information.”

    66. The Google cookie-synching cookie is called “cid,” which is short for the “Client

    ID” that Google assigns to a specific user. As Google admits in its Google Analytics documentation

    for web-developers, the cid cookie is personal information:

    In order for Google Analytics to determine that two distinct hits belong to the same user, a unique identifier, associated with that particular user, must be sent with each hit. The analytics.js library accomplishes this via the Client ID field, a unique, randomly generated string that gets stored in the browser’s cookies, so subsequent visits to the same site can be associated with the same user.7

    67. Chrome shares the Client ID value with Google regardless of a user’s Sync status or

    log-in status with Google Ads, Google Doubleclick, and Google Analytics. Even worse, Chrome

    shares Google’s cid cookie value with Google even when third-party cookies are blocked.

    7 https://developers.google.com/analytics/devguides/collection/analyticsjs/cookies-user-id.

    Disguising third-party tracking cookies as first-party cookies is a deceptive privacy practice already

    successfully challenged by the FTC when Google attempted it in 2011. United States v. Google, Inc.,

    12-cv-4177-SI (N.D. Cal.), complaint dated Aug. 8, 2012, at ¶ 46-47.

    68. In addition to sending Google the “CID” cookie value, Chrome also sends cookie-

    synched values for Google cookies named _gads ID, _gcl_au/auiddc, and _gid to Google.
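
Added example, not part of the complaint: a JavaScript (Node.js) audit check for the cookie synching described in paragraphs 64 to 68, which flags third-party requests whose query parameters carry an identifier taken from a first-party cookie. The `_ga` cookie name, the `/collect` request parameters, the cookie values and the request list are assumptions constructed for illustration.

```javascript
// Audit helper: find third-party requests that carry a first-party cookie ID.
// Everything in SAMPLE_* below is constructed data, not captured traffic.

// Naive "site" key: the last two DNS labels. A real audit should use the
// Public Suffix List; this shortcut is an assumption of the example.
function siteOf(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Candidate identifiers inside a cookie value: the whole value plus every
// dot-separated suffix, so "GA1.2.111.222" also yields "111.222".
// Short candidates are dropped to limit accidental matches.
function idCandidates(value, minLen = 8) {
  const parts = value.split('.');
  const out = new Set();
  for (let i = 0; i < parts.length; i++) {
    const cand = parts.slice(i).join('.');
    if (cand.length >= minLen) out.add(cand);
  }
  return out;
}

// pageUrl: the page the user is visiting (the first party).
// firstPartyCookies: { name: value } as set for the first-party site.
// requests: [{ url }] observed while the page loaded.
function findCookieSyncs(pageUrl, firstPartyCookies, requests) {
  const pageSite = siteOf(new URL(pageUrl).hostname);

  // Index every candidate identifier back to the cookie it came from.
  const index = new Map();
  for (const [name, value] of Object.entries(firstPartyCookies)) {
    for (const cand of idCandidates(value)) index.set(cand, name);
  }

  const findings = [];
  for (const req of requests) {
    let url;
    try { url = new URL(req.url); } catch { continue; } // skip malformed URLs
    if (siteOf(url.hostname) === pageSite) continue;    // same site: not a sync
    // searchParams yields percent-decoded values.
    for (const [param, value] of url.searchParams) {
      if (index.has(value)) {
        findings.push({
          recipient: url.hostname,
          param,
          cookieName: index.get(value),
          sharedId: value,
        });
      }
    }
  }
  return findings;
}

// Constructed sample: a first-party analytics cookie and three requests.
const SAMPLE_PAGE = 'https://www.mercurynews.com/';
const SAMPLE_COOKIES = { _ga: 'GA1.2.1029384756.1595800000', session: 'abc' };
const SAMPLE_REQUESTS = [
  { url: 'https://www.mercurynews.com/static/site.css?v=3.5.1' },
  { url: 'https://www.google-analytics.com/collect?v=1&t=pageview' +
         '&cid=1029384756.1595800000&dl=https%3A%2F%2Fwww.mercurynews.com%2F' },
  { url: 'https://cdn.example.net/lib.js?v=3.5.1' },
];

for (const f of findCookieSyncs(SAMPLE_PAGE, SAMPLE_COOKIES, SAMPLE_REQUESTS)) {
  console.log(`${f.recipient} received ${f.cookieName} id via "${f.param}"`);
}
```

The same check can be run over a HAR export by mapping each entry's request URL into the `requests` array.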

    4. X-Client Data Headers Are Personal Information

    69. The x-client-data header is an identifier that when combined with IP address and

    user-agent, uniquely identifies every individual download version of the Chrome browser.

    70. The x-client-data identifier is sent from Chrome to Google every time users

    exchange an Internet communication, including when users log-in to their specific Google

    accounts, use Google services such as Google search or Google maps, and when Chrome users are

    neither signed-in to their Google accounts nor using any Google service.

    71. Chrome has created and sent the x-client-data identifier to Google with every

    communication users exchange since at least March 6, 2018.

    72. The x-client-identifier is not disclosed in any term of service or privacy policy

    operative at any time.

    73. It is also not hyperlinked to any of these policies and the average, reasonable

    Chrome user had no reason to know of its existence.

    74. Google first publicly admitted to the existence of the x-client-data identifier to the

    tech community in a document called the Chrome Privacy White Paper, published on March 6,

    2018. The White Paper assisted developers on the “read” side—or surveillance side—with

    developing products that could extract this information and further pair it with existing data.

    75. The White Paper is authored by Google and makes several admissions relevant to

    this action, as well as furthering the impression that Chrome was not sending personal information

    to Google in violation of its express promises.

    76. The White Paper begins by stating, “This document describes the features in

    Chrome that communicate with Google, as well as with third-party services (for example, if you've

    changed your default search engine).”

    77. Despite claiming that it would “describe[] the features in Chrome that communicate

    with Google[,]” the White Paper does not disclose that Chrome sends users’ personal information

    to Google regardless of whether users are logged-in to their Google Sync account or not.

    78. Initially, the White Paper falsely represented that the x-client data identifier, which

    it called a “Chrome-Variations header” did “not contain any personally identifiable information

    and will only describe the state of the installation of Chrome itself, including active variations, as

    well as server-side experiments that may affect the installation.”8

    79. However, on September 24, 2018, researcher and technologist Vincent Toubiana

    with ARCEP (a French Telecom regulator), who runs the blog www.unsearcher.org, took notice of

    X-client-data. What he learned alarmed him:

    “The x-client-data header

    This is probably the most problematic header and I did not see it mention anywhere else than in the whitepaper. Most users are not aware of it but this header is sent with every request sent to Google services (and only Google services) to do A/B testing. Google services include most Google domains, including Doubleclick. Even when Google is a third party, the header is sent. Because it’s a header and not a cookie, it is sent even when you block cookies.

    . . . .

    So not only does this header may [sic] have some privacy implications, it makes the browser not neutral as it gives more data to Google services.

    Conclusion

    . . . by using custom headers, Google is less and less dependent on third party cookies. I would not be surprised if Chrome started to block third party cookies. Actually this may be in Google financial interest to do that.9

    8 https://web.archive.org/web/20180505082442/https://www.google.com/chrome/privacy/whitepaper.html

    9 https://unsearcher.org/more-on-chrome-updates-and-headers

    80. On January 14, 2020, Google announced that Chrome would be phasing out the use

    of third-party cookies over two years. Google cynically claimed that its decision was driven by the

    fact that “[u]sers are demanding greater privacy—including transparency, choice, and control over

    how their data is used.”10 Left unsaid was the fact that Chrome’s x-client header can now uniquely

    identify a majority of web-browsers in the United States, and Google does not need tracking

    cookies anymore. Now that Google controls both the online ad market and the browser market

    simultaneously, blocking third-party cookies simply blocks competing trackers, while Google has

    a method to continue back-door tracking through the unique browser identifier created and

    disclosed by its browser without any notification to users.

    81. In addition to uniquely identifying Plaintiffs’ browsers, Google also uses the x-

    client-identifier to track them across other Google services. For example, on February 4, 2020,

    Arnaud Granal, the developer of the Kiwi Browser (a Chromium-based alternative browser for

    Android) discovered and disclosed that x-client-data is “a unique ID to track a specific Chrome

    instance across all Google properties,” including, in his example, YouTube and Doubleclick.11

    82. Similarly, Kyle Bradshaw at www.9to5google.com explained the x-client-data

    identifier “is sent to those Google servers regardless of whether you’re logged in with your Google

    Account or not, which could theoretically tie your logged-out browsing back to your Google

    Account.”12

    83. Bradshaw further explained, “Putting it all together, the accusation being leveled

    against Google by the tech community is that the company is making it harder for competing ad

    networks and other third-parties to track your browsing while their own purported tracking method

    is able to continue uninhibited.” Regardless of the impact on competitors, the impact on Plaintiffs

    and the Class is significant—they cannot escape this new and even more secretive form of

    surveillance.

    10 https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html

    11 https://github.com/w3ctag/design-reviews/issues/467#issuecomment-581944600

    12 https://9to5google.com/2020/02/06/google-chrome-x-client-data-tracking/

    84. Following the revelations above, Google quietly amended its White Paper to remove

    its false representations about the x-client header. For example, on March 12, 2020, in an article

    called “Google Backpedals on Claim that X-Client-Data Doesn’t Contain PI Information,” it was

    reported by VPN Overview:

    Originally the information about the X-Client-Data header in the whitepaper was as follows: “A list of field trials that are currently active on your installation of Chrome will be included in all requests sent to Google. This Chrome variations header (X-Client-Data) will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation.” In the latest version of the whitepaper, the text stating that the X-Client-Data header doesn’t contain any PI information has been removed.13

    85. VPN Overview further explained:

    The fact that Google may be tracking users through the X-Client-Data header, is in itself of concern. However, it is not the most important issue here. Google probably has other means for tracking users. Of greater concern is the fact that Google did not disclose what it was using the header for. Google is tracking users without their knowledge, which is a violation of users’ privacy. Furthermore, the original description of the header’s use was incredibly inaccurate and likely to have been in breach of legal compliance requirements.

    86. As of the date of filing, Google still has not fixed the Chrome Privacy Notice, the

    Google general Terms of Use, or the Google Privacy Policy to accurately disclose the X-Client-

    Data identifier and its uses.

    5. Browsing History is Personal Information

    87. Browsing history consists of a record of a communication or communications that

    a user exchanges on the Internet and includes both the content of the communication or

    communications and data associated with it, such as the time of the communication or

    communications.

    88. California law defines “personal information” to include browsing history,

    specifically, “Internet or other electronic network activity information, including, but not limited

    13 https://vpnoverview.com/news/google-backpedals-on-claim-that-x-client-data-doesnt-contain-pi-information/

    to, browsing history, search history, and information regarding a consumer’s interaction with an

    internet website, application, or advertisement.” Cal. Civ. Code § 1798.140(o)(1)(F).

    89. Google also defines “personal information” to include browsing history in the

    Chrome Privacy Notice.

    D. Chrome’s Promise Not To Share PI With Google if Not Synched Was Intended To Encourage, Not Diminish, User Engagement

    90. Google’s motivation to breach its privacy promises to Un-Synched Chrome Users

    was to increase user engagement and increase revenue for Google. Higher user engagement means

    more revenue in that moment for Google, and also more data about the users that can lead to more

    revenue. By promising more privacy, Google induces more private sharing, which is a more

    profitable kind of user engagement.

    91. “User engagement” is the degree to which users find products, services and

    processes interesting or useful. It is typically measured by time spent interacting with products and

    user satisfaction with that time spent. Engagement can be measured by a variety or combination of

    activities such as downloads, clicks, interactions, shares, and more.

    92. Examples of “engagement” data include:

    a. For social or traditional media sites: daily usage, views, time on page, pages

    per visit, ad clicks, searches, comments, or shares;

    b. For streaming music apps: daily usage, time spent in app, songs listened to,

    playlists created, friends added;

    c. For an e-commerce store: monthly usage, adding items to cart;

    d. For a personal finance app: weekly usage, sync bank accounts, create a

    budget, enable notifications, view dashboard; and

    e. Enterprise software: Monthly usage, create reports, share reports, invite

    users.

    93. Examples of specific metrics used by online entities to track this engagement include

    daily active users (DAU), cost-per-acquisition, and ROI. The relative value of these metrics varies

    by business. For example, high engagement via views or clicks might be good for a news site but

    not for an insurance app, where more usage might suggest that a user is about to file a claim. Higher

    engagement leads to higher profits when additional activity leads to purchases, signups,

    subscriptions, ad views, or clicks.

    94. Product and marketing teams typically measure user engagement to understand the

    factors that contribute to higher engagement and use product analytics to measure what features affect

    user behavior. Product analytics and active user engagement data are important selling points to

    advertisers and those who will pay to influence user behavior, whether that is to purchase

    something, vote or take some other action.

    95. By inducing more personal and more active engagement, Google can therefore

    increase its profitability. Because this is a revenue-generating exercise, analytics teams at Google

    are incentivized to engage in detailed analysis of both how to stimulate more engagement, and also

    the value of each kind of engagement and the data that it generates. Put differently, specific user

    engagements are assigned economic value.

    96. By analyzing user flow—where users spend time, how they interact with others,

    when they disengage with a site or app or may be interested in paying more to upgrade—Google

    can learn valuable insights into how to influence users’ choices and how to target them for Google’s

    partners. User flow is analyzed by using precisely the metrics at issue in this action.

    97. Indeed, Google was a pioneer in this field, and Google products help developers

    create Engagement Scores for users.14 In June 2011 Google acquired PostRank, specifically

    because PostRank had an effective tool for measuring user engagement. According to a Google

    spokesperson at that time, Google is “always looking for new ways to measure and analyze data,”

    and PostRank would help “make this data more actionable and accountable [through] an innovative

    approach to measuring web engagement [that can] help us improve our products for our users and

    advertisers.”15

    14 https://www.chromium.org/developers/design-documents/site-engagement

    15 https://techcrunch.com/2011/06/03/google-acquires-postrank-an-analytics-service-for-the-social-web/

    98. As applied here, the data that Chrome has sent to Google in violation of its promises

    not to do so is integral to the calculation of users’ engagement scores. It can also be tied to specific

    profitability.

    99. The most powerful of all of these may be the x-client-referrer header, described

    above. Because it is all-pervasive and impossible to remove from users’ activity, the richness of

    the data Google collects has higher value than disconnected data points of less robust detail.

    100. By targeting advertising at users who have a higher amount of “tracked”

    engagement, Google can increase the profits they make from gathering that data.

    101. An “untracked” user may only be shown generic ads. Such ads, in turn, tend to yield

    a lower engagement rate and therefore generate less profit for Google. A “tracked” user’s browsing,

    in contrast, yields greater data for Google to target and is also a more lucrative target in its own

    right. The more active a user is, the more vulnerable to targeting she is, and more valuable as well.

    102. In addition, promising a user that she is free from tracking induces a different set of

    expectations and also a different kind of engagement. Specifically, one would expect a user to

    engage more actively and more intimately under the belief that she is untracked. She may also

    engage with different types of content than she would if she knew she were being surveilled,

    exposing them as relevant for further categories of valuable advertising.

    103. Tracking users’ engagement across Google’s advertising products also allows

    greater optimization of those advertising products, with respect to those individual users, to increase

    the likelihood of their future engagement with ads, further increasing Google’s ability to generate

    profit.

    104. By sending to Google Un-Synced Chrome users’ data reflecting their behavior,

    Google is able to draw a more complete picture of those users, even when they had not opted-in to

    such tracking.

    105. All of this results in concrete, ascertainable financial gain for Google, directly

    attributable to the increased user engagement. Those profits can be identified and quantified;

    indeed, teams of analysts at Google are engaged in precisely this process.

    E. How Google Instructs Chrome to Report PI to Google

    106. Chrome is a web-browser—a software application that enables users to exchange

    electronic communications over the Internet.

    107. Every website is hosted by a computer server through which the entity or person in

    charge of the website exchanges communications with Internet users via users’ web-browsers.

    108. The process through which Chrome transmits communications between users and

    the first-party websites with which users are communicating is called packet-switching.16

    109. The prior technology through which phone communications were transmitted was

    called circuit-switching. With circuit-switching, the service provider would establish a single

    pathway (or circuit) through which the content of a communication would flow between the parties

    to the communication. The problem with circuit-switching is that, if the single path becomes

    blocked, the communication fails.

    110. Enter packet-switching. With packet-switching, there is no single, dedicated path

    through which the contents of a communication flow. Instead, the contents of a communication are

    broken down into dozens, hundreds, or thousands of packets—each of which is routed over a

    network with different paths to the destination. Each packet contains part of the content and

    information about its destination. Each packet travels independently to the destination and every

    packet may travel by a different route to the destination. As the packets arrive, they are arranged

    by the device to which they are sent. Only at the end are they put back together and the

    communication formed. The path of each packet, and the order in which each packet arrives, is not

    relevant to the ultimate success of a communication. Some packets may get stopped in the

    process—in which case they are resent down a different path.

    111. Packet-switching is now ubiquitous. For example, all 4G and 5G voice or data

    communications are made via packet-switching technology.

    112. Thus, although common imagination may suppose that a modern cellphone call or

    internet communication involves a direct line of communication between the participants to the

    16 Packet-switching is also explained in U.S. v. Szymuszkiewicz, 622 F.3d 701, 704 (7th Cir. 2010).

    communication, that is not true at all. Through packet-switching, the contents of the communication

    are broken down into dozens, hundreds, or thousands of different packets that are exchanged

    through separate pathways between the parties to the communication.

    113. On the Internet, when a user begins a communication with a website, the user’s

    browser starts and continues several processes all at once. These simultaneous processes include:

    a. sending contents of the users’ side of the communication to the website;

    b. receiving and rendering the website’s side of the communication;

    c. placing the content of the communication in temporary and intermediate

    storage; and

    d. in some cases, re-directing the contents of the communication to third-parties.

    114. The basic commands that Chrome uses to send the users’ side of a communication

    are called GET and POST requests.

    115. When a user types https://www.mercurynews.com/2020/05/24/qa-mental-health-

    tips-for-handling-the-pandemic/ into her browser (or takes the technological shortcut of clicking a

    hyperlink), Chrome contacts the website hosting the Mercury News and sends the following

    communication: “GET 2020/05/24/qa-mental-health-tips-for-handling-the-pandemic/”.

    116. If instead the user were filling out a form on that website and clicks a button to

    submit the information in the form, Chrome similarly makes connection with the website server

    but instead sends a “POST” request that includes the specific content that the user placed in the

    form.

    117. When a user clicks a hyperlink or hits ENTER to send a communication, Chrome

    determines whether it is a GET or POST request based on the source code within the browser or

    the current website with which the user is communicating. The browser then simultaneously:

    a. Places the contents of the GET or POST request in storage in the browser’s

    web-browsing history and short-term memory; and

    b. Connects to and begins a back-and-forth, two-way communication

    exchange between the user and the website.

    118. Chrome stores the contents of the communication for at least two purposes:

    a. The content is placed in the browser’s short-term memory so that, if the user’s

    web-browser crashes unexpectedly, when the user re-starts their browser, the

    browser will be able to offer the user the ability to return to their last

    communications prior to the browser’s crash; and

    b. The content is placed in the user’s browsing history for the user’s future

    reference for 90 days.

    119. For short-term memory, if Chrome crashes unexpectedly and the user re-opens it,

    Chrome provides the user with the following options at the upper right-hand side of the screen:

    120. This short-term storage is for purposes of back-up protection.

    121. The storage for 90 days in the user’s browsing history is temporary, intermediate

    storage incidental to the contemporaneous transmission of the communication.

    122. In response to receiving a GET or POST request from a user, the server for the

    website with which the user is exchanging a communication will send a set of instructions to

    Chrome, commanding Chrome with source code on:

    a. How to render the website’s portion of the communication; and

    b. In some cases (up to 86 percent of popular websites), using source code

    provided by Google and specifically designed to command Chrome to

    contemporaneously re-direct the precise content of the GET or POST part of

    the communication to Google and its various entities attached to personal

    information and other browser-generated data about the content of the

    website’s portion of the communication.

    123. Google instructs developers to place its source code that commands Chrome to

    contemporaneously re-direct the contents of the communication exchanged between the user and

    the website to Google in the website’s header—i.e., before the website’s instructions regarding the

    contents of its side of the communication. For example, for Google Tag Manager, Google instructs

    developers to place its code “as close to the opening <head> tag as possible on every page of your

    website[.]”17

    124. Google’s placement is designed to put priority on the re-directions of content and

    user personal information from Chrome to Google. By placing the re-direction commands first,

    Google ensures that the re-direction will occur as soon as possible so that Google will be able to

    collect the contents and personal information even if the user quickly changes their mind or the

    browser unexpectedly shuts down before the communication transmissions are complete.

    125. The transmission process between Chrome and the website server is not discrete,

    but instead involves a series of rapid, continuing, simultaneous data exchanges between Chrome

    and the website server with data flowing both ways throughout the process and through dozens,

    hundreds, or even thousands of different paths to reach their destination at the user or website.18

    126. The data and content exchanges between Chrome and the website server continue

    even after it appears that the website’s portion of the communication has been fully rendered on

    the user’s screen.

    127. At the same time that the transmission and content exchange of the communication

    is happening between the user’s browser and the website server (i.e. the devices), the contents of

    the communication (including the user’s specific request and information about the substance of

    the website’s side of the communication) are re-directed to third parties.

    17 See https://developers.google.com/tag-manager/quickstart

    18 In one example of which counsel is aware, a recording of a single 288 second communication resulted in 22,779 separate packet transmissions—or 79 data packet transmissions per second.


    144. The following charts compare the PI that Chrome sends to Google when the browser

    is in one of three states: first, when the user has affirmatively synched with another Google Account

    (called “synched” below); second, when the user is not synched, but logged into another Google

    service such as Gmail (“un-synched, with Gmail log-in”); and third, when the user is neither

    synched nor logged into any other Google account (“un-synched, logged out”). As the test results

    below confirm, Google causes Chrome to send PI to itself even when a Chrome user has not

    authorized the data collection by synching.

    145. Chrome copies and re-directs the content of the user’s GET request (the one asking

    for the article on mental health) to Google Ads, Google DoubleClick, and Google Analytics in

    identical fashion regardless of whether the user is synched.

    PERSONAL INFORMATION CHROME SENDS TO ALL GOOGLE
    CONTENT OF COMMUNICATION WITH THE MERCURY NEWS
    Identical for All Browser-States and All Google Entity Recipients

    Synched: 2020/05/24/qa-mental-health-tips-for-handling-the-pandemic

    Un-Synched, Gmail Login: 2020/05/24/qa-mental-health-tips-for-handling-the-pandemic

    Un-Synched, no Gmail Login: 2020/05/24/qa-mental-health-tips-for-handling-the-pandemic.html

    146. Similarly, the x-client-data header Chrome sends to Google Ads, Google

    DoubleClick, and Google Analytics is identical regardless of whether the user is synched:

    PERSONAL INFORMATION CHROME SENDS TO GOOGLE
    X-CLIENT-DATA-HEADER
    Identical for All Browser-States and All Google Entity Recipients Except Analytics

    Synched: CKy1yQEIkbbJAQimtskBCMS2yQEIqZ3KAQjnyMoBCLTLygE=

    Un-Synched, Gmail Login: CKy1yQEIkbbJAQimtskBCMS2yQEIqZ3KAQjnyMoBCLTLygE=

    Un-Synched, no Gmail Login: CKy1yQEIkbbJAQimtskBCMS2yQEIqZ3KAQjnyMoBCLTLygE=

    147. Similarly, the IP address and User-Agent data Chrome sends to Google Ads, Google

    DoubleClick, and Google Analytics is identical regardless of whether the user is synched.

    148. Similarly, the Google Analytics “cid” cookie or “Client ID” that Chrome sends to

    Google is identical regardless of whether the user is synched:

    PERSONAL INFORMATION CHROME SENDS TO ALL GOOGLE
    “CID” – “CLIENT ID” COOKIE VALUE
    Identical for All Browser-States and All Google Entity Recipients

    Synched: cid=2007029474.1595353114

    Un-Synched, Gmail Login: cid=2007029474.1595353114

    Un-Synched, no Gmail Login: cid=2007029474.1595353114


    149. The third-party cookie data Chrome sends to Google Ads is identical for at least 11

    different persistent, unique cookies for Un-Synched Chrome users regardless of whether signed

    into Gmail, but not transmitted to Google if the Un-Synched Chrome user is not also logged into

    Gmail:

    PERSONAL INFORMATION CHROME SENDS TO GOOGLE ADS
    UNIQUE, PERSISTENT THIRD-PARTY COOKIE VALUES
    Identical for Synched and Un-Synched w/ Gmail Login

    Synched: SID, __Secure-3PSID, HSID, SSID, APISID, SAPISID, __Secure-HSID, __Secure-SSID, __Secure-APISID, __Secure-3PAPISID, NID

    Un-Synched, Gmail Login: SID, __Secure-3PSID, HSID, SSID, APISID, SAPISID, __Secure-HSID, __Secure-SSID, __Secure-APISID, __Secure-3PAPISID, NID

    Un-Synched, no Gmail Login: none


    150. Despite Google’s demonstrated ability above to block the transmission of some

    cookies, it still causes others to be transmitted, as noted below, regardless of whether the user is

    synched:

    151. Finally, Chrome sends other third-party cookie personal identifiers that qualify as

    personal information, regardless of whether the user is synched. These other cookies have values

    that change based on log-in status, but which are associated with the cookie values that are identical

    across all browser-states, making them reasonably capable of being associated with specific users:

    152. Combined, the data that Google causes Chrome to send to itself (illustrated above)

    demonstrates that Google has designed Chrome to collect massive amounts of user personal

    information and link it to websites visited, regardless of whether the Chrome user is synched.

    153. Even worse, most of the PI is collected in forms other than cookies (for example, IP

    address + user-agent data and the x-client-data identifier) meaning that Chrome will still transmit

    the data even if the user is using cookie blockers.

    PERSONAL INFORMATION CHROME SENDS TO GOOGLE DOUBLECLICK
    THIRD-PARTY COOKIES – IDE
    identical for all browser states

    Synched: IDE=AHWqTUluD72jj7k5Rr5ipWiIeEiyaUdEyFm-N1x6ZCPzZOfbTN0bUarkMjwuYJMV

    Un-Synched, Gmail Login: IDE=AHWqTUluD72jj7k5Rr5ipWiIeEiyaUdEyFm-N1x6ZCPzZOfbTN0bUarkMjwuYJMV

    Un-Synched, no Gmail Login: IDE=AHWqTUluD72jj7k5Rr5ipWiIeEiyaUdEyFm-N1x6ZCPzZOfbTN0bUarkMjwuYJMV

    PERSONAL INFORMATION CHROME SENDS TO GOOGLE DOUBLECLICK
    COOKIE SYNCHING
    Identical for All Browser-States

    Synched: ID=8067c38bf1d71e0f:T=1595353118:S=ALNI_MacZyW8MLDn-omh5WOAbbL6y_qlGA

    Un-Synched, Gmail Login: ID=8067c38bf1d71e0f:T=1595353118:S=ALNI_MacZyW8MLDn-omh5WOAbbL6y_qlGA

    Un-Synched, no Gmail Login: ID=8067c38bf1d71e0f:T=1595353118:S=ALNI_MacZyW8MLDn-omh5WOAbbL6y_qlGA
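The three-state comparison described in paragraphs 144 to 153 can be reproduced from captured requests. The following is an added example, not code from the complaint or from Google; it sorts each identifier by whether it is sent identically in every browser state, withheld in some states, or sent with a changing value. The hostname, the `STATEFUL` cookie and every value are constructed, and the capture format (a dict with `url` and `headers`) is an assumption.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed captures (not values from the complaint): one outbound third-party
# request per browser state, using the three states named in paragraph 144.
def _req(cookie):
    return {
        "url": "https://tracker.example/collect?cid=1111.2222&dl=%2F2020%2Farticle",
        "headers": {
            "User-Agent": "ExampleBrowser/1.0",
            "X-Client-Data": "Q09OU1RSVUNURUQ=",  # placeholder, base64 of "CONSTRUCTED"
            "Cookie": cookie,
        },
    }

CAPTURES = {
    "synched": _req("IDE=aaa; SID=bbb; STATEFUL=s1"),
    "unsynched_gmail_login": _req("IDE=aaa; SID=bbb; STATEFUL=s2"),
    "unsynched_logged_out": _req("IDE=aaa; STATEFUL=s3"),
}

def parse_cookie_header(value):
    """Split a Cookie request header into {name: value}; values may contain '='."""
    pairs = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            pairs[name] = val
    return pairs

def extract_identifiers(request):
    """Flatten one request into {'source:name': value} for cookies, headers, query."""
    found = {}
    for name, value in request["headers"].items():
        if name.lower() == "cookie":
            for cname, cval in parse_cookie_header(value).items():
                found["cookie:" + cname] = cval
        else:
            found["header:" + name.lower()] = value
    for qname, qval in parse_qsl(urlsplit(request["url"]).query):
        found["query:" + qname] = qval
    return found

def classify(captures):
    """Return {identifier: (verdict, states_in_which_it_was_sent)}."""
    per_state = {state: extract_identifiers(req) for state, req in captures.items()}
    names = sorted(set().union(*per_state.values()))
    report = {}
    for name in names:
        sent = {s: ids[name] for s, ids in per_state.items() if name in ids}
        if len(sent) < len(per_state):
            verdict = "state-dependent"   # withheld in at least one state
        elif len(set(sent.values())) == 1:
            verdict = "identical"         # same value in every state
        else:
            verdict = "value-varies"      # always sent, but the value changes
        report[name] = (verdict, sorted(sent))
    return report

def identical_headers(report):
    """Request headers sent identically in every state; a cookie blocker leaves these in place."""
    return [n for n, (v, _) in report.items()
            if v == "identical" and n.startswith("header:")]

if __name__ == "__main__":
    for name, (verdict, states) in classify(CAPTURES).items():
        print(f"{name:24} {verdict:16} sent in: {', '.join(states)}")
```
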


    about her and will use that data to place Kindler in advertising categories from which Google will

    profit from targeted advertising to her based on data that it did not have the right to obtain.

    H. Google’s Improper Collection of PI from Plaintiffs and Other Un-Synched Chrome Users is a Serious Invasion of the Privacy and is Highly Offensive

    194. Chrome is now the most widely used browser in the world and is used by 59 percent

    of all desktop computers in the United States.19

    195. Article I, § 1 of the California Constitution provides: “All people are by nature free

    and independent and have inalienable rights. Among these are enjoying and defending life and

    liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety,

    happiness, and privacy.” The phrase “and privacy” was added by the “Privacy Initiative” adopted

    by California voters in 1972.

    196. The right to privacy in California’s constitution creates a right of action against

    private as well as government entities.

    197. The principal purpose of this constitutional right was to protect against unnecessary

    information gathering, use and dissemination by public and private entities, including computer-

    stored and generated dossiers and cradle-to-grave profiles on every American.

    198. In its public statements, Google pays lip-service to the need to protect the privacy

    of Internet communications. For example, on June 6, 2016, a coalition of technology companies

    and privacy advocates came together to oppose Congressional efforts to expand government

    surveillance of online activities through the Senate’s Intelligence Authorization Act for Fiscal Year

    2017 and Senator Cornyn’s proposed amendments to the ECPA.

    199. The joint letter, signed by the ACLU, Amnesty International and others was also

    signed by Google. These organizations and companies argued (correctly) that obtaining sensitive

    information about Americans’ online activities without court oversight was an unacceptable

    privacy harm because it “would paint an incredibly intimate picture of an individual’s life” if it

    19 Browser Market Share United States of America: May 2019 – May 2020, GlobalStats, https://gs.statcounter.com/browser-market-share/all/united-states-of-america (last visited June 19, 2020).


    included “browsing history, email metadata, location information, and the exact date and time a

    person signs in or out of a particular online account.”

    200. The letter further posited that the proposed online surveillance could “reveal details

    about a person’s political affiliations, medical conditions, religion, substance abuse history, sexual

    orientation” and even physical movements. The letter concluded that online surveillance raises

    “civil liberties and human rights concerns.”

    201. Google has also publicly declared that non-consensual electronic surveillance is

    “dishonest” behavior. For example, earlier this month, Google announced an update to its

    “Enabling Dishonest Behavior Policy” (effective August 11, 2020) restricting advertising for

    spyware and surveillance technology. The new policy, without any hint of irony, will now “prohibit

    the promotion of products or services that are marketed or targeted with the express purpose of

    tracking or monitoring another person or their activities without their authorization.”

    202. Through this new amendment to Google’s pre-existing policy, Google now

    explicitly takes the position that nonconsensual surveillance of “browsing history” is “dishonest

    behavior.”

    203. Google has also publicly declared privacy to be a human right. In 2004 in a letter

    from Google’s founders to shareholders at the IPO (included with the Company’s S-1 Registration

    Statement filed with the SEC), Google declared its goal to “improve the lives of as many people as

    possible.” This letter appears today on Google’s website on a page touting the company’s

    commitment to be guided by “internationally recognized human rights standards,” including

    specifically the human rights enumerated in three documents: The Universal Declaration of Human

    Rights; the United Nations Guiding Principles on Business and Human Rights; and the Global

    Network Initiative (“GNI”) Principles.

    204. All three of these documents confirm that privacy is a human right and a violation

    of privacy rights is a violation of human rights.

    205. For example, the Universal Declaration declares that no one should be subject to

    arbitrary interference with privacy, and even declares the right to the protection of laws against

    such interference.


    206. Similarly, the UN Guiding Principles for business identify privacy as a human right.

    207. The third document, the GNI Principles, has an entire section dedicated to privacy

    that begins: “Privacy is a human right and guarantor of human dignity. Privacy is important to

    maintaining personal security, protecting identity and promoting freedom of expression in the

    digital age.”

    208. Finally, although not mentioned on Google’s website, in 1992 the United States

    ratified the International Covenant on Civil and Political Rights, a human rights treaty that

    guarantees privacy rights in Article 17.

    I. Plaintiffs’ PI Is Property Owned by the Plaintiffs and Has Economic Value

    209. The value of personal data is well understood and generally accepted as a form of

    currency.

    210. It is by now incontrovertible that a robust market for this data undergirds the tech

    economy.

    211. The robust market for user data has been analogized to the “oil” of the tech

    industry.20 A 2015 article from TechCrunch accurately noted that “Data has become a strategic

    asset that allows companies to acquire or maintain a competitive edge.”21 That article noted that

    the value of a single Internet user—or really, a single user’s data—varied from about $15 to more

    than $40.

    212. The Organization for Economic Cooperation and Development (“OECD”) itself has

    published numerous volumes discussing how to value data such as that which is the subject matter

    of this Complaint, including as early as 2013, with its publication “Exploring the Economics of

    20 The world’s most valuable resource is no longer oil, but data, The Economist (May 6, 2017), https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data.

    21 Pauline Glickman and Nicolas Glady, What’s the Value of Your Data? TechCrunch (Oct. 13, 2015), https://techcrunch.com/2015/10/13/whats-the-value-of-your-data/.


    Personal Data: A Survey of Methodologies for Measuring Monetary Value”.22 The OECD

    recognizes that data is a key competitive input not only in the digital economy but in all markets:

    “Big data now represents a core economic asset that can create significant competitive advantage

    for firms and drive innovation and growth.”23

    213. In The Age of Surveillance Capitalism, Harvard Business School Professor

    Shoshana Zuboff notes Google’s early success monetizing user data prompted large corporations

    like Verizon, AT&T and Comcast to transform their business models from fee for services provided

    to customers to monetizing their users’ data—including user data that is not necessary for product

    or service use, which she refers to as “behavioral surplus.”24 In essence, Professor Zuboff explains

    that revenue from user data pervades every economic transaction in the modern economy. It is a

    fundamental assumption of these revenues that there is a market for this data; data generated by

    users on Google’s platform has economic value.

    214. This is old news. In 2012, Google’s Chief Economist Hal Varian, in conversation

    with the Economist, referred to one aspect of data’s value as “nowcasting,” or “contemporaneous

    forecasting”—basically an ability to predict what is happening as it actually occurs.”25 This kind

    of information clearly has economic value.

    215. Professor Paul M. Schwartz writing in the Harvard Law Review, notes:

    Personal information is an important currency in the new millennium. The monetary value of personal data is large and still growing, and corporate America is moving quickly to profit from the trend. Companies view this information as a corporate asset and have invested heavily in software that facilitates the collection of consumer information.

    22 Exploring the Economics of Personal Data: A Survey of Methodologies for Measuring Monetary Value, OECD Digital Economy Paper No. 220 at 7 (Apr. 2, 2013), http://dx.doi.org/10.1787/5k486qtxldmq-en.

    23 Supporting Investment in Knowledge Capital, Growth and Innovation, OECD, at 319 (Oct. 13, 2013), https://www.oecd-ilibrary.org/industry-and-services/supporting-investment-in-knowledge-capital-growth-and-innovation_9789264193307-en.

    24 Shoshana Zuboff, The Age of Surveillance Capitalism 166 (2019).

    25 K.N.C., Questioning the searchers, The Economist (June 13, 2012), https://www.economist.com/schumpeter/2012/06/13/questioning-the-searchers.


    216. This economic value has been leveraged largely by corporations who pioneered the

    methods of its extraction, analysis, and use. However, the data also has economic value to users.

    Market exchanges have sprung up where individual users like Plaintiffs herein can sell or monetize

    their own data. For example, Nielsen Data and Mobile Computer will pay users for their data.26

    Google itself has launched apps that pay users for their data directly.27 Likewise, apps such as Zynn,

    a TikTok competitor, pay users to sign up and interact with the app.28

    217. There are countless examples of this kind of market, which is growing more robust

    as information asymmetries are diminished through revelations to users as to how their data is being

    collected and used.

    218. Indeed, Google once paid users for the very data it now improperly harvests from

    Chrome:

    Google is building an opt-in user panel that will track and analyze people’s online behaviors via an extension to its Chrome browser, called Screenwise. Users that install the plug-in will have the websites they visit and the ways in which they interact with them recorded, and they will then be paid with Amazon gift cards worth up to $25 a year in return.29

    219. As Professors Acquisti, Taylor and Wagman relayed in their 2016 article “The

    Economics of Privacy,” published in the Journal of Economic Literature:

    Such vast amounts of collected data have obvious and